Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 28 Sep 2010 19:17:40 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-6@freebsd.org
Subject:   svn commit: r213249 - stable/6/sys/netinet
Message-ID:  <201009281917.o8SJHebT083134@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: bz
Date: Tue Sep 28 19:17:39 2010
New Revision: 213249
URL: http://svn.freebsd.org/changeset/base/213249

Log:
  r201663 introduced a bug in stable/6 that prison_ip() might change the
  passed address argument, while we are only interested in whether it is a
  valid address of the jail.
  This can modify an address in the live interface address list with an
  address of the jail.  Make a copy of the address for the call to
  prison_ip() to avoid this.
  
  Reported by:	Andreas Longwitz (longwitz incore.de)
  Tested by:	Andreas Longwitz (longwitz incore.de)
  PR:		kern/114325

Modified:
  stable/6/sys/netinet/in.c

Modified: stable/6/sys/netinet/in.c
==============================================================================
--- stable/6/sys/netinet/in.c	Tue Sep 28 15:33:30 2010	(r213248)
+++ stable/6/sys/netinet/in.c	Tue Sep 28 19:17:39 2010	(r213249)
@@ -252,12 +252,15 @@ in_control(so, cmd, data, ifp, td)
 	 * the first one on the interface, if possible.
 	 */
 	if (ifp) {
+		struct in_addr tmp;
+
 		dst = ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr;
 		LIST_FOREACH(iap, INADDR_HASH(dst.s_addr), ia_hash)
 			if (iap->ia_ifp == ifp &&
 			    iap->ia_addr.sin_addr.s_addr == dst.s_addr) {
+				tmp.s_addr = dst.s_addr;
 				if (td == NULL || !prison_ip(
-				    td->td_ucred, 0, &dst.s_addr))
+				    td->td_ucred, 0, &tmp.s_addr))
 					ia = iap;
 				break;
 			}
@@ -265,9 +268,11 @@ in_control(so, cmd, data, ifp, td)
 			TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
 				iap = ifatoia(ifa);
 				if (iap->ia_addr.sin_family == AF_INET) {
+					tmp.s_addr =
+					    iap->ia_addr.sin_addr.s_addr;
 					if (td != NULL &&
 					    prison_ip(td->td_ucred, 0,
-					    &iap->ia_addr.sin_addr.s_addr))
+					    &tmp.s_addr))
 						continue;
 					ia = iap;
 					break;

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201009281917.o8SJHebT083134>